Flaws Expose Sauter SCADA Systems to Takeover

Researchers at vulnerability management company Outpost24 have identified a series of vulnerabilities that can be exploited by a remote attacker to take complete control of Sauter’s moduWEB Vision SCADA product. The vendor has released a firmware update to address the issues.

Sauter is a Switzerland-based company that specializes in building automation and system integration products. moduWEB Vision is a web-based visualization solution designed to allow users to operate and monitor building technologies remotely.

One of the vulnerabilities identified by Outpost24 researchers is related to the existence of default accounts. Sauter instructs users to change the password of the administrator account, but there are other default accounts not covered in the vendor’s documentation.

While these accounts don’t have administrative privileges, accessing them allows an attacker to obtain the password hash for the admin account via a backup feature introduced in recent versions of Sauter moduWEB Vision.

According to experts, attackers don’t need to crack the hash to access the administrator account, and instead they can use the hash directly to authenticate on the system via what is known as a pass the hash attack. This insecure credential storage issue has been assigned the identifier CVE-2015-7914.

Once they gain access with administrator privileges, attackers can reset the system to its default configuration, change the configuration or disable devices, and modify all passwords.

Other authentication data found in the moduWEB Vision backup files is encrypted, but Outpost24 discovered that some of the passwords are transmitted in clear text (CVE-2015-7915) when populating the password field in cases where the “keep me logged in” feature is enabled. It’s worth noting that this feature is also present only on newer versions of the SCADA system.

This poorly protected password can be leveraged to access SMTP accounts used for email notifications.

“The emails are used to gather SCADA events and other information about enrolled systems, and this gets the attacker an initial foothold where additional information can be acquired, not only about the current SCADA system but regarding any other SCADA systems setup to use the same event management email account,” Outpost24 explained in a blog post.

In addition to using the pass the hash attack to gain administrator privileges, an authenticated attacker can also leverage a persistent cross-site scripting (XSS) vulnerability found in the user and events management panels to elevate privileges and execute commands on behalf of an administrator (CVE-2015-7916). The attacker can plant the XSS payload into the “username” field and it gets executed when a page containing the malicious code is accessed by the administrator.

A Shodan search shows that Sauter moduWEB Vision installations are exposed to the Internet and they are not difficult to pinpoint because the product runs on a less common web server that has specific header information, Outpost24 CSO Martin Jartelius told SecurityWeek.

“As always, if you have a home- or building automation system, those are built with other requirements than security in first place. A good solution is often to, regardless if you know of vulnerabilities in them or not, assume that there are associated risks, and deploy them in such a manner that you need to use a decent VPN to gain the initial access,” Jartelius explained via email.

The researcher said the vulnerabilities were reported to Sauter in April 2015 and they were completely patched in roughly 9 months, although the high risk issues were addressed sooner.

Sauter has released version 1.6.0 of the firmware to address the flaws, but Outpost24 says many systems remain unpatched, which is why the company has not disclosed technical details for some of the uncovered issues.

It’s worth noting that the security firm identified several weaknesses that have been fixed by the vendor, but only three of them have been assigned CVE identifiers. ICS-CERT has also published an advisory describing the security holes found by Outpost24.

Jartelius commended Sauter for being a responsive vendor and noted that the company’s platform has above average security.

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.